Slashdot Mirror


Exploit Vendor Zerodium Puts $100,000 Bounty On Flash's New Security Feature (softpedia.com)

An anonymous reader writes: Zerodium, the company that buys zero-day bugs from security researchers and then sells them on to government intelligence agencies, has put out a new bounty, this one on Adobe's Flash Player. The exploit vendor is offering $100,000 to the first researcher who finds a similar zero-day bug, capable of avoiding Flash's newly-released isolated heap memory protection feature. Previously, Zerodium offered $1 million to a security researcher for a zero-day bug in Apple's iOS 9 operating system.
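The summary names the mitigation the bounty targets but not what it does. The toy allocator below is an added illustration, not code from the article, from Adobe or from Zerodium; it shows the idea behind an isolated heap (separate allocation pools per object type) by running the same use-after-free against a single shared pool and against two type-separated pools. The pool layout, slot sizes, the `widget_t` type and the 0x41 fill pattern are assumptions chosen for the demo and say nothing about how Flash's own allocator is built.

```c
/* Added example (not from the article or from Adobe): a toy allocator that
 * shows why an "isolated heap" blunts the classic use-after-free reclaim.
 * Pool layout, sizes, the widget type and the payload byte are assumptions
 * chosen for illustration; real allocators are far more involved. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SLOT_SIZE 32
#define POOL_SLOTS 8

/* A fixed-size pool: slots are handed out in order, and freed slots are
 * reused last-in-first-out, as most real allocators do for small chunks. */
typedef struct {
    _Alignas(16) unsigned char mem[POOL_SLOTS][SLOT_SIZE];
    int next_fresh;              /* first never-used slot */
    int free_stack[POOL_SLOTS];  /* indexes of freed slots */
    int nfree;
} pool_t;

static void *pool_alloc(pool_t *p) {
    if (p->nfree > 0)
        return p->mem[p->free_stack[--p->nfree]];   /* reuse a freed slot first */
    if (p->next_fresh < POOL_SLOTS)
        return p->mem[p->next_fresh++];
    return NULL;
}

static void pool_free(pool_t *p, void *ptr) {
    int idx = (int)(((unsigned char *)ptr - &p->mem[0][0]) / SLOT_SIZE);
    p->free_stack[p->nfree++] = idx;
}

/* The victim object: a function pointer followed by some data. */
typedef struct {
    void (*handler)(void);
    uint64_t id;
} widget_t;

static void benign_handler(void) { }

/* Constructed attacker payload: the byte the "attacker" fills its buffer with,
 * and the pointer-sized word that fill produces. */
#define PAYLOAD_BYTE 0x41
static const uintptr_t PAYLOAD_WORD = (uintptr_t)0x4141414141414141ULL;

/* Runs the UAF sequence: allocate a widget, free it but keep the dangling
 * pointer, let the attacker allocate a raw byte buffer, then inspect what the
 * dangling handler slot now holds. Returns 1 if the attacker's bytes landed
 * in the function-pointer slot (i.e. w->handler() would jump to 0x4141...). */
static int run_uaf(pool_t *widget_pool, pool_t *buffer_pool) {
    widget_t *w = pool_alloc(widget_pool);
    w->handler = benign_handler;
    w->id = 7;

    pool_free(widget_pool, w);                     /* bug: w is still used below */

    unsigned char *buf = pool_alloc(buffer_pool);  /* attacker's allocation */
    memset(buf, PAYLOAD_BYTE, SLOT_SIZE);

    /* A real program would call w->handler() here; report the slot instead. */
    return (uintptr_t)w->handler == PAYLOAD_WORD;
}

/* Shared heap: one pool for everything, so the freed widget slot is the next
 * thing handed out and the attacker's buffer overlays the dangling widget. */
int shared_heap_demo(void) {
    pool_t heap;
    memset(&heap, 0, sizeof heap);
    return run_uaf(&heap, &heap);
}

/* Isolated heap: widgets and raw buffers come from different pools, so a freed
 * widget slot can only ever be reused by another widget. */
int isolated_heap_demo(void) {
    pool_t widgets, buffers;
    memset(&widgets, 0, sizeof widgets);
    memset(&buffers, 0, sizeof buffers);
    return run_uaf(&widgets, &buffers);
}

int main(void) {
    printf("shared heap:   attacker controls handler = %d\n", shared_heap_demo());
    printf("isolated heap: attacker controls handler = %d\n", isolated_heap_demo());
    return 0;
}
```

Note the limit of the mitigation, which is why a bypass is worth a bounty: the dangling pointer still exists in the isolated case, the slot is simply never handed to an object of a different type. An attacker who can trigger allocation of another widget after the free still gets the slot back, just with a legitimate widget in it rather than raw attacker bytes, so the search shifts to same-type reclaims and to other ways of making the freed memory attacker-controlled.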

57 comments

  1. Moo by sexconker · · Score: 0

    Time to make friends with someone who works at Adobe then. An easy $50,000 sounds nice.

    1. Re:Moo by Anonymous Coward · · Score: 0

      Sorry, but $50,000 is not an easy score when you lose your job because of it. No thanks.

    2. Re:Moo by mark-t · · Score: 1

      How would their boss know?

    3. Re:Moo by Anonymous Coward · · Score: 0

      When they show up at work with a new $50,000 car that they can't afford.

    4. Re:Moo by Anonymous Coward · · Score: 0

      If you work at Adobe, you'd probably stand out more if the car you drove cost LESS than $50K.

    5. Re:Moo by mark-t · · Score: 1

      First of all, their boss would have no way to know what an employee can or cannot afford.... at least not legally.

      Secondly, not all people who would commit such an act are dumb enough to publicly flaunt illicitly acquired wealth.

    6. Re:Moo by Anonymous Coward · · Score: 0

      You have met many people.

    7. Re:Moo by mark-t · · Score: 1

      Actually, yes I have. But how many people I have met is irrelevant to the veracity of my statement. If all people were truly that dumb, then there would be no such thing as an unsolved crime because nobody would be smart enough to get away with doing anything illegal.

    8. Re:Moo by mysidia · · Score: 1

      If all people were truly that dumb, then there would be no such thing as an unsolved crime because nobody would be smart enough to get away with doing anything illegal.

      What makes you think unsolved crimes are people getting away with things because they are smart?

      Perhaps they just got lucky, and the investigators missed or accidentally spoiled evidence that was sitting right in front of them.

      Also, perhaps they got away with it because the team investigating their particular crime was so dumb and incompetent that it failed to investigate things it should have, and/or so lazy that it reported the right lead as ruled out (based on fallacious thinking).

    9. Re:Moo by mark-t · · Score: 1

      Perhaps.... and while it is doubtless fair to acknowledge the existence of such incompetence, I believe it is a gross underestimation of other people to assume that most who work at a technical company like Adobe are certain to be too clueless to realize that publicly flaunting wealth that might get a person in trouble with their boss is unwise.

      That level of intellectual vacuity is what you'd expect from a fictional character in a comedic situation, where the audience or reader is expected to laugh at the outlandish stupidity behind the character's choices, more than it is a realistic expectation of an actual member of society. While I won't dismiss that it's certainly possible, I wouldn't expect it to be particularly likely.

      Please note, Gus Gorman from Superman 3 is *NOT* a typical example of an individual that pulls in a salary like that of an average Adobe employee.

    10. Re:Moo by Incadenza · · Score: 1

      Secondly, not all people who would commit such an act are dumb enough to publicly flaunt illicitly acquired wealth.

      But some are. This just happened yesterday:

      A police spokesman said the two suspected Dutch traffickers - arrested at stunning five-star Santiago de Compostela hotel Hostal Dos Reis Catolicos on the city’s famous Obradoiro Square - had drawn attention to themselves by “throwing 500 euro notes around as if they were water.”

    11. Re:Moo by Anonymous Coward · · Score: 0

      Adobe has almost one Flash vulnerability every single day; how can they find out?

  2. Re:Slashtards... by mark-t · · Score: 1

    Does it matter which one?

  3. the reason is??? by FudRucker · · Score: 0

    I seem to get the hint that Adobe Flash vulnerabilities are used as a backdoor to gain access to people's computers???

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:the reason is??? by Anonymous Coward · · Score: 0

      probably cryptolocker type extortions

  4. Re: Slashtards... by Anonymous Coward · · Score: 0

    heh, I actually have had sex with another Slashdotter ... never thought about it that way though! But since you're offering a hundred grand, I'm certainly willing to accommodate the weirdness. It was +5 (Delightful) for sure - hackers know how things work. Try it sometime!

  5. Re: Slashtards... by Anonymous Coward · · Score: 0

    100,00 != one hundred thousand.

  6. The most value from such an exploit... by jtara · · Score: 2

    The most value from such an exploit...

    ... would be being able to accumulate a list of the users stupid enough to still have Flash installed! (Or allowing it to be run indiscriminately.)

    (If you do have it, please use a flash blocker, so that you then only click on the button to run the flash on trusted sites.)

    1. Re:The most value from such an exploit... by jtara · · Score: 1

      ...because then you would have a list of gullible people.

    2. Re:The most value from such an exploit... by Anonymous Coward · · Score: 0

      Well, Linux Mint still enables it by default. Firefox disables it pretty much right after you update it, and you have to click to allow each time. I don't use it anywhere except for YouTube and maybe news sites.

      So what should I be doing on Linux Mint, and why is it still installed by default? I assume there is a reason it's still there, though it may not be a good reason...

    3. Re:The most value from such an exploit... by KGIII · · Score: 1

      Probably something like:

      # quote the patterns so the shell does not expand them against files in
      # the current directory; apt-get treats names containing '*' as regexes
      sudo apt-get purge 'adobeflash*' 'pepperflash*'

      That should work. Close your browser while it runs, and also check Google before running that, but it should work on Mint.

      --
      "So long and thanks for all the fish."
  7. Uninstall Flash by Anonymous Coward · · Score: 0

    No matter what security improvements Microsoft and Google have helped Adobe make to Flash, it's better to uninstall Flash. It reduces the attack surface and avoids the security problems in the first place. Flash had 316 security bugs in 2015 as compared to Firefox's 178. So why take the risk of 494 security bugs when it's so simple to reduce the risk to 178?

    1. Re:Uninstall Flash by epyT-R · · Score: 1

      That only leaves the gaping hole that is the browser's enabled JavaScript engine.

    2. Re:Uninstall Flash by Anonymous Coward · · Score: 0

      Firefox? That's so 2007... If you use Chrome, Flash is a part of it and is updated as part of Chrome. It is also able to be set to not auto-run with no additional blockers or add-ins. I have mine set to not auto-run - so I have to right-click it and allow it if I want something in Flash to run. Works great.

    3. Re:Uninstall Flash by Anonymous Coward · · Score: 0

      Firefox? That's so 2007...

      What does the year have to do with it? It's meaningless.

      So if you use Chrome you can't get rid of flash because it's built in? What a terrible idea!

    4. Re:Uninstall Flash by Anonymous Coward · · Score: 0

      Chrome on its own had 187 security bugs in 2015. Firefox without Flash is a better way to go.

    5. Re:Uninstall Flash by AHuxley · · Score: 1

      1+ for that suggestion. Remove the issue and enjoy the internet :)
      All the documents released or made public seem to show a huge trade in and demand for access into different OS.
      Stop using one of the sold and traded ways into modern OS's.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:Uninstall Flash by Anonymous Coward · · Score: 0

      Sure, if you want Google tracking you.

      I hear people claim that they can't avoid Google, but I suspect they just aren't trying hard enough.

    7. Re:Uninstall Flash by Anonymous Coward · · Score: 0

      Sure, if you want Google tracking you.

      I hear people claim that they can't avoid Google, but I suspect they just aren't trying hard enough.

      Google is going to screw those people the hardest. Give it time. When you start hearing about massive layoffs at Google, it will start happening soon after that.

    8. Re:Uninstall Flash by ChoGGi · · Score: 1

      open chrome://plugins/ and disable it?

  8. Re: Slashtards... by Anonymous Coward · · Score: 0

    Tranny sex doesn't count.

  9. Just imagine they had to pay $100k for _every_ bug by ffkom · · Score: 1

    ... in Flash that compromises security... they would be bankrupt within a week!

  10. click-to-play by jonwil · · Score: 1

    With all the security holes in Flash these days, I don't get why browsers haven't made "click to play" for Flash videos the default. No Flash videos would run unless you activated them.

    1. Re:click-to-play by Anonymous Coward · · Score: 0

      And then the attackers simply find ways to bypass the click-to-play, which has happened.

    2. Re:click-to-play by wvmarle · · Score: 1

      I think this is because video is just one of the many uses of Flash. It would break, for example, the menus of many sites - albeit far less than it used to be nearly a decade ago when I first installed FlashBlock, there still are some around.

  11. Arms trafficking by Etherwalk · · Score: 4, Informative

    For all the ridiculous arms export regulations around encryption historically, this actually seems much more like serious arms sales. Explicitly selling vulnerabilities, other than in a bug bounty program, is organized crime.

    1. Re:Arms trafficking by jopsen · · Score: 1

      Explicitly selling vulnerabilities, other than in a bug bounty program, is organized crime.

      Adobe certainly has a standing... Considering that all the big corps feel they have standing when researchers publicly share and discuss DRM.
      There is clearly no "fair use" or "public interest" argument to be made here, quite the opposite.

    2. Re:Arms trafficking by Anonymous Coward · · Score: 0

      Writing code poorly and then selling it for profit, knowing you are putting customers in harm's way, is also criminal behavior.

    3. Re:Arms trafficking by adolf · · Score: 2

      Meh.

      It's a lot like offering to pay someone who first figures out how to pick a new type of mechanical lock, and brokering that information to an interested third party.

      Is that -- should that -- be a crime?

    4. Re:Arms trafficking by Lunix+Nutcase · · Score: 1

      You paid for Flash player?

    5. Re:Arms trafficking by robbak · · Score: 1

      Yes, unless the 'interested party' is the manufacturer, who will quickly recall the locks and replace them with secure ones.

      --
      Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
    6. Re: Arms trafficking by Anonymous Coward · · Score: 0

      Or the security agency who designed the fault in the lock in the first place...

    7. Re:Arms trafficking by wvmarle · · Score: 1

      Wrong comparison.

      Even perfectly constructed mechanical locks requiring a mechanical key can be picked, or otherwise broken using force. It may be hard to pick, it may need a lot of force, but they can be broken. This is because mechanical locks are always approached physically.

      A perfect digital lock can only be broken by brute forcing the cryptographic key: trying again and again, trillions of times if needed. The digital lock of course can easily rate limit this to prevent even that attack, leaving it truly unbreakable. This unless the digital lock is approached physically, but that's not the question here, we're talking about remote access. Furthermore, stumbling upon the key to one of these locks leaves all others still locked - again assuming perfect design where all keys are truly random and different.

      Software like Flash should not even be compared to a lock, but to a prison cell. No way out. Perfect brick walls, extending all around you in all directions, no doors or windows or even the drain pipe of a loo. The problem now is of course that the wall Flash built has some bricks missing, and that's where there may be a way through that wall. Telling everyone which bricks are missing shouldn't be a crime - taking advantage of that information however may very well be.

    8. Re:Arms trafficking by adolf · · Score: 1

      As we learn over and over again, there is no such thing as a perfect digital lock: These can be picked just as carefully and undetectably as any mechanical lock.

      There's no need to pick out Flash here, as even OpenBSD is not immune to imperfection.

    9. Re:Arms trafficking by wvmarle · · Score: 1

      Given enough time and effort, a digital lock could become perfect: no bugs left. Of course that's a lot of effort, yet it is what we should always aim for in software, and OpenBSD is doing a great job in that respect. It's as good as unbreakable.

  12. Re:Slashtards... by Anonymous Coward · · Score: 0

    You have to toss timothy's salad while roblimo fucks your ass while he gives you a reacharound.

  13. Re:Just imagine they had to pay $100k for _every_ by Penguinisto · · Score: 2

    Pretty sure they pocket at least 5-10x that $100k for every sale they make to a governmental organization...

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  14. Re:Slashtards... by mark-t · · Score: 1

    So.... yes? Okay, too bad. I'm pretty sure somebody could have claimed the hundred otherwise.

  15. Re:Slashtards... by Zero__Kelvin · · Score: 1

    Give it up. Nobody is having sex with you, bounty or not.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  16. Nice marketing Zerodumdum by Anonymous Coward · · Score: 1

    This is like their "we paid out (pinky in mouth) $1 million for an Apple iOS 9.1 bug".

    http://www.theinquirer.net/inquirer/news/2433087/zerodium-pays-out-usd1m-for-ios-91-untethered-jailbreak

    Except there's no evidence they did, but it was handy marketing for them. If they had, Apple could sue them and obtain the bug details (and $$$ in compensation) on a "tortious interference in business" claim.

    So take it with a pinch of salt.

  17. Re:Slashtards... by Anonymous Coward · · Score: 0

    Says the guy who can't even get laid by his right hand.

  18. Re: Slashtards... by monkeyhybrid · · Score: 1

    But in that situation, don't your beards act like some kind of velcro?

  19. Criminal activity much? by Anonymous Coward · · Score: 0

    How is it that this is legal? Looking for ways to crack people's computing systems and then making a profit off of it?

    I guess it's because the clients of this profiteer are governments. If these people were selling to non-government entities, I would think that government would be raiding the office and throwing them all in jail. But since the government benefits from this company's practices, it's all above-board.

    captcha: confer

  20. Re:Slashtards... by cant_get_a_good_nick · · Score: 1

    Pay my wife? She'd love it....

  21. Re:Slashtards... by Anonymous Coward · · Score: 0

    I've been paying your wife for sex for years now. How else do you think she was able to buy you a holiday present? You're welcome!

  22. Re:Slashtards... by cant_get_a_good_nick · · Score: 1

    (rimshot)